The article SSL Enabling OWA 2003 using your own Certificate Authority which I wrote in the beginning of 2004 is one of the most popular articles published here on MSExchange.org (at the time of this writing it has 402 votes with an average rating of 4.6). This should make any author satisfied, but what’s the reason behind the success? Well one of the answers seems to be that readers don’t want to spend hundreds of dollars on things like SSL certificates; you would rather spend a little more time securing OWA if it can be done for free.
Time has come to write one more article covering another cool method you can use to secure your OWA site or virtual directories by enabling SSL. I’m going to show you how to get your hands on a Free SSL certificate from a 3rd party provider! And no, I don’t mean one of those 30 day trials money hungry providers such as VeriSign etc. call free certificates. How cool is it to get a free 30 day trial certificate when you have to pay all from fifty to several hundred dollars per year afterwards, you’re right, not very cool.
So who are these guys offering a free SSL certificate? Believe it or not it’s an Israeli company called Startcom Ltd., a company most famous for a Linux distribution (Startcom Linux). They believe that the rights for a SSL certificate shouldn’t be bound to the financial capabilities of individuals and/or institutions, companies or organizations. And I couldn’t agree more.
At the time of this writing Startcom’s certificate isn’t trusted by the Microsoft Internet Explorer, but is supported by Mozilla Firefox, Safari and others. So does this mean I still have to educate users of Internet Explorer to manually install the certificate (or use the method described in MS KB article: 297681 - Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust) in order to get rid of the annoying security warning message shown in Figure 1 below? No.
First thing you should do is to open the IIS Manager on the Exchange Server, then expand Local Computer > Web Sites and take Properties of the Default Web Site. Now click the Directory Security tab and you will be presented with the screen shown in Figure 2 below.
If you’re running a front-end/back-end scenario you should only enable SSL on the front-end server(s), in other words, in such a situation only follow these steps on the front-end server(s).
Figure 2: Directory Security Tab
Now click Server Certificate and select Create a new certificate then click Next as shown in Figure 3 below.
Figure 3: Create a new Certificate
Select Prepare the request now, but send it later, then click Next (Figure 4).
Figure 4: Delayed or Immediate Request
Type a descriptive name for the Certificate (such as OWA SSL Certificate) then click Next (Figure 5).
Figure 5: Specify a descriptive name for the certificate
It’s time to enter our Organization name as well as the Organizational unit (Figure 6), do so then click Next.
Figure 6: Specify Organization and Organizational unit
Now specify the common name which should be the Exchange servers external FQDN (Fully Qualified Domain Name), that means the address which users type when they access OWA from the Internet. The common name is typically mail.domain.com, owa.domain.com or webmail.domain.com NOT https://mail.domain.com, webmail.domain.com/exchange or your public IP address. Some of you might think I go into too much detail here, but you won’t believe how many OWA issues I’ve seen, which in the end was caused by misconfigured common names in the actual SSL certificate. So it’s better to be on the safe side.
As many (especially small to midsized) companies don’t publish their Exchange servers directly to the Internet, but instead run the Exchange server on a private IP address, they let their ISP’s handle their external DNS settings. In most cases the ISP creates a so called A record named mail.domain.com pointing to the company’s public IP address, which then forwards the appropriate port (443) to the Exchange servers internal IP address.
When your have entered a Common Name like in Figure 7 below click Next.
Figure 7: Specifying the common name of the OWA server
Enter the Region/Country, State/Province and the City/Locality then click Next.
Figure 8: Geographical Information
Specify the location and the file to which you want to save the specified information, then click Next (you will need to copy/paste this information to a form on the Startcom site later on).
Click Next then Finish.
Requesting a Certificate from StartCom
Okay it’s time to get the certificate from Startcom, the first thing you should do is to open the certreg.txt file and copy the content to your clipboard, then click this link in order to get started. You have to register and create an account first. During this process a client certificate will be installed into your browser which allows you to access your account in the future. After access to your account is granted you have to validate your domain name first. For this choose the Validations Wizard tab. After that you can continue to the Certificates Wizard tab. As we’re going to use the certificate on an IIS web server, skip the private key generation after selecting SSL/TLS Server Certificates.
It's very important, that you use a valid e-mail address during the registration process to which you
have instant access to, as well as make sure you provide your own real name, address etc.,
failing to do so can in the worst case get your IP address and domain blocked from the StartSSL site.
You now need to paste the text from the certreg.txt file into the form in the bottom of the page, and then click Continue once again. After the request have been processed (takes a couple of seconds) you need to select one of the validated domain names, afterwards click Continue. Now copy/paste the text in the form to a file (name it SSL.CRT or something similar) then save it on the C: drive of the OWA server, and click Finish. You now get a chance to visit also the Tool Box tab and download the Certification Authority and Intermediate Authority certificates (required for IIS). Note you can skip these steps and do it manually later if you’re not running the certificate wizard from the browser on the OWA server itself.
Processing the Pending Request
Back on the OWA server open up the IIS Manager (if you closed in earlier on) then expand to and right-click the Default Web Site once again. Hit the Directory Security tab and click Server Certificate > Next and choose to Process the pending request and install the certificate then click Next (Figure 10).
Figure 10: Process the Pending Certificate Request
Enter the path to the SSL.CRT file containing the certificate (should be C:\ssl.crt unless you specified another name during that step), then click Next > accept the default SSL port (443) and click Next (Is it only me who starts to wonder how many times we actually clicked Next or Continue so far). Now verify the Certificate Summary and click Next then Finish.
Before we enable the SSL certificate on our Default Web Site there’s one more step to complete, but only if you didn’t run the Startcom Certificate Wizard on the OWA server itself, and thereby installed the Certification Authority and Intermediate Authority certificates into the Trusted Root Certification Authorities store.
Open an empty MMC on the OWA server, to do so click Start > Run and type MMC then click Enter. Then click File > Add/Remove Snap-in in the menu, now click Add and select Certificates (Figure 11).
Figure 11: Adding the Certificates Snap-in to the MMC
Choose Computer Account then Local Computer then click Next > Close and Ok.
Figure 12: Choosing Computer Account
Now drill down to Trusted Root Certification Authorities > Certificates and left-click the Certificates container then choose All tasks > Import as shown in Figure 13 below.
Figure 13: Importing the certificates to the Trusted Root Certification Authorities store
The Certificate Wizard appears. Click Next and specify the path to the ca.crt file (Figure 14) then click Next again.
Figure 14: Specifying the path to the ca.crt file
Accept to place the Certificate in the Trusted Root Certification Authorities (Figure 15) then click Next and Finish > OK.
Figure 15: Specifying the Certificate Store
Now follow the exact same procedures for the sub.class1.server.ca.crt certificate, so that all certificates are added to the store as shown in Figure 16 and 17 below.
Figure 16: StartCom Certification Authority
Figure 17: StartCom Class 1 Primary Intermediate Server CA
Enabling SSL on the Default Web Site
To enable SSL on the Default Web Site open the IIS Manager, then expand down to and take Properties of the Default Web Site. Now click the Directory Security tab then Edit under Secure Communications (Figure 19).
Depending on your specific Exchange setup (single box or FE/BE scenario etc.) as well as whether other non-Exchange related virtual directories have been created under the Default Web Site, you may wish to enable SSL on the Exchange and Public virtual directories individually instead of on the whole site. Also have in mind, enabling SSL on the Default Web Site can cause problems with OMA and Active Sync, for further details see MS KB article: 817379 - Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003.
Figure 19: Clicking Edit under Secure Communications
Here you should checkmark both Require secure channel (SSL) as well as Require 128-bit encryption (Figure 20) as most of the newer web browsers support 128-bit encryption.
Figure 20: Enabling required secure channel (SSL) and 128-bit encryption
Click Ok twice and close the IIS Manager. We can now move on to the client-side in order to verify that SSL connection to the OWA server works properly.
Dealing with the Client-Side
Ok it’s time to try accessing our SSL enabled OWA server by typing: https://mail.exchangehosting.dk/exchange. As you probably would have guessed we receive the security warning message shown back in Figure 1. As you might recall the reason for this is because Startcom’s certificate at the time of this writing, by default, isn’t trusted by popular browsers such as Internet Explorer FireFox, Mozilla etc. This means that in order to get rid of the warning message, we need to install the certificate on each client that will connect to OWA. As I briefly mentioned earlier in the article, Startcom has created a nifty site you can link to from, for example, the OWA 2003 forms-based authentication logon page. When you do so users can simply click this link to install the certificate where after she/he is automatically redirected back to the logon page once the certificate is installed (I’ve created an example page which is shown in Figure 21).
If you don’t know how to modify the forms-based authentication page, check out the links provided in the Related Reading section in the end of the article.
Figure 21: OWA Logon Page with Startcom Certificate Install link implemented
When you click the Startcom logo, which should link to http://www.startssl.com/?app=9 (without using _blank aka New Window), you will, depending on whether you have Windows XP SP2 applied on the client, receive a couple of warning messages to which you should click Yes where after the dialog box shown in Figure 22 below should appear. When clicking OK you are redirected back to the forms-based authentication page and will not get the Security Warning message in the future.
Figure 22: Confirmation box
Why should 3rd party certificate providers such as VeriSign, RapidSSL, InstantSSL, Entrust and all the others be allowed to charge up to several hundred dollars a year (and run a multi-million company) by providing something as simple as a certificate? Second, isn’t it a bit misleading to call a 30 day trial certificate a “free certificate�?? I believe so…
It’s about time to change the market trends and instead support companies like Startcom, so that permanently free certificates some day will be trusted by browsers like Internet Explorer, FireFox, Mozilla, Opera etc.
Startcom’s StartSSL website:
Customizing the OWA 2003 Forms-Based Authentication Logon Page:
Customizing the Outlook Web Access Logon Page: